Bug 1274196 - RFE: configure iptables rules on overcloud hosts [NEEDINFO]
RFE: configure iptables rules on overcloud hosts
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-heat-templates (Show other bugs)
7.0 (Kilo)
Unspecified Unspecified
high Severity high
: rc
: 10.0 (Newton)
Assigned To: Ben Nemec
Ofer Blaut
: FutureFeature, Reopened, Triaged
: 1284080 (view as bug list)
Depends On:
Blocks: 1350510 1305123
Reported: 2015-10-22 04:51 EDT by Ofer Blaut
Modified: 2016-12-14 10:16 EST (History)

See Also:
Fixed In Version: openstack-tripleo-heat-templates-5.0.0-1.1.el7ost
Doc Type: Enhancement
Doc Text:
With this update, the iptables firewall on the overcloud controller nodes is enabled to ensure better security. As a result, the necessary ports are opened so that overcloud services will continue to function as before.
Story Points: ---
Clone Of:
: 1305123 (view as bug list)
Last Closed: 2016-12-14 10:16:44 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
oblaut: needinfo? (achernet)


External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 191195 None None None Never
OpenStack gerrit 321833 None None None 2016-06-16 15:47 EDT
OpenStack gerrit 330249 None None None 2016-06-16 15:47 EDT
OpenStack gerrit 330759 None None None 2016-06-16 15:47 EDT
OpenStack gerrit 330760 None None None 2016-06-16 15:47 EDT
OpenStack gerrit 383477 None None None 2016-10-27 05:58 EDT

Description Ofer Blaut 2015-10-22 04:51:18 EDT
Description of problem:

We should configure iptables rules on ospd overcloud hosts.

upstream patch - https://review.openstack.org/#/c/191195/

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. run sudo iptables -S on controllers/computes/ceph

Actual results:

Expected results:

Additional info:
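The reproduction step above is to capture `sudo iptables -S` on each overcloud node and see whether any filtering is in place. The following is an added example (not part of this bug report or of tripleo-heat-templates) that audits such captured output offline: it reports the INPUT chain policy, whether a catch-all DROP/REJECT rule exists, and which TCP/UDP destination ports are explicitly allowed. Both sample outputs are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample of `iptables -S` on a node with no firewall configured:
# default ACCEPT policies and no rules at all (the state this bug describes).
UNFILTERED = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
"""

# Constructed sample after a firewall has been applied: a short allow-list
# followed by a catch-all reject, so unmatched inbound traffic is refused.
FILTERED = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# "-A <chain> <match criteria> -j <target> [target options]"
RULE_RE = re.compile(r"^-A (\S+)(.*?) -j (\S+)")


def audit_input_chain(iptables_s: str) -> Dict[str, object]:
    """Summarise the INPUT chain of `iptables -S` output.

    The chain counts as restrictive only if unmatched traffic is refused,
    either by a DROP policy or by a catch-all DROP/REJECT rule that has
    no match criteria.
    """
    policy = None
    terminal_reject = False
    allowed_ports: List[str] = []
    for line in iptables_s.splitlines():
        if line.startswith("-P INPUT "):
            policy = line.split()[2]
            continue
        m = RULE_RE.match(line)
        if not m or m.group(1) != "INPUT":
            continue
        match, target = m.group(2).strip(), m.group(3)
        if target in ("DROP", "REJECT") and match == "":
            terminal_reject = True        # catch-all rule, nothing else matches
        if target == "ACCEPT":            # collect --dport / --dports values
            for ports in re.findall(r"--dports? (\S+)", match):
                allowed_ports.extend(ports.split(","))
    return {"policy": policy, "terminal_reject": terminal_reject,
            "allowed_ports": sorted(set(allowed_ports), key=int),
            "restrictive": policy == "DROP" or terminal_reject}
```

Running the audit over the captured output of each controller, compute and ceph node gives a quick per-host view of whether the firewall is effectively absent (the unfiltered case) or restrictive with an explicit port allow-list.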
Comment 2 Mike Burns 2015-11-23 07:48:53 EST
*** Bug 1284080 has been marked as a duplicate of this bug. ***
Comment 3 Dan Sneddon 2016-02-04 10:59:32 EST
(In reply to Ofer Blaut from comment #0)
> Description of problem:
> We should configure iptables rules on ospd overcloud hosts.

Perhaps we should use iptables rules on OSPD overcloud hosts, but the stated reason for using iptables here is based on a faulty assumption.

The problem is that the system is accepting route advertisements from the router, and adding a route, even if there is no IP on the interface.

In order to turn this behavior on/off, you can edit /proc/sys/net/ipv6/conf/default/accept_ra to be "0" instead of "1".

You can also turn it on/off on a per-interface basis, e.g.:
echo "1" > /proc/sys/net/ipv6/conf/eth0/accept_ra
Comment 4 Keith Basil 2016-02-05 11:22:55 EST
I would accept Dan Sneddon's suggestion as the fix here.  This doesn't seem like we need to take on iptables config work.   And, if we did, the specifications around what we need to solve are not presented here.

I would suggest we open a new BZ to solve for the route advertisement problem specifically.
Comment 8 Mike Burns 2016-04-07 16:54:03 EDT
This bug did not make the OSP 8.0 release.  It is being deferred to OSP 10.
Comment 10 Emilien Macchi 2016-06-16 15:49:51 EDT
Ofer, yes, we're still working on it. I did initial work last year and now Ben is working on enabling the feature by default. I updated the list of patches that we need to make this feature really working.
Comment 13 Jaromir Coufal 2016-10-27 04:39:10 EDT
Comment 14 James Slagle 2016-10-27 06:01:05 EDT
Note the fix for the overcloud is in tripleo-heat-templates, not instack-undercloud.
Comment 19 errata-xmlrpc 2016-12-14 10:16:44 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

